Shiro, Multi Factor Authentication
Is there a way to implement multi-factor authentication in Shiro? Can anyone give me a hint on how to implement this?
For more details: the basic idea is that the user needs to log in as usual, using username and password; before being authenticated, the user needs to enter a one-time token received via SMS.
Thank you!
I solved the problem on my own, but I'm of course open to other suggestions.
I implemented my own 2-factor authentication flow:
First of all, I changed the URL of the login page, so Shiro redirects the unauthenticated user to my own login page, which leads to my authentication mechanism. The user needs to complete 2 "stages" of login.
- On the first stage he/she has to provide username and password; if these are valid, the user is redirected to the second stage of login.
- Meanwhile, a one-time token has been generated and sent to the user via SMS. The user's authentication progress has been saved in the session (which means remembering that stage 1 was completed successfully).
- On stage 2 the user needs to enter the token. If the token is
  - not valid or the number of attempts (5) is exceeded
  - expired (after 5 minutes) or the number of attempts to correctly enter the token exceeded 4, the user is redirected to stage 1 and the progress is deleted. I
- If everything went fine, the user is authenticated with Shiro (of course without letting him/her know).
In the end the user is redirected to the page he/she requested, which still allows him/her to bookmark pages. Of course Shiro's remember-me is deactivated.
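The stage-2 checks described in the answer above, sketched as an added example that is not part of the original post or of Shiro itself. The class and method names and the six-digit token length are assumptions; the 5-attempt and 5-minute limits are the ones the answer states.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;

// Hypothetical holder for stage-1 progress, kept in the server-side session until stage 2 ends.
public class PendingSecondFactor {
    public enum Result { AUTHENTICATED, RETRY, RESTART }
    static final int MAX_ATTEMPTS = 5;                  // limit stated in the answer
    static final Duration TTL = Duration.ofMinutes(5);  // expiry stated in the answer
    private static final SecureRandom RNG = new SecureRandom();

    final String username;        // already verified with the password in stage 1
    private final byte[] token;   // one-time token that was sent by SMS
    private final Instant issuedAt;
    private int attempts;

    PendingSecondFactor(String username, String token, Instant issuedAt) {
        this.username = username;
        this.token = token.getBytes(StandardCharsets.UTF_8);
        this.issuedAt = issuedAt;
    }

    // Token from a CSPRNG, never java.util.Random; six digits is an assumption.
    static String newToken() { return String.format("%06d", RNG.nextInt(1_000_000)); }

    // RESTART means: remove this object from the session and send the user back to stage 1.
    synchronized Result verify(String submitted, Instant now) {
        if (now.isAfter(issuedAt.plus(TTL)) || attempts >= MAX_ATTEMPTS) {
            return Result.RESTART;
        }
        attempts++;  // charge the attempt before comparing, so every guess counts
        byte[] guess = (submitted == null ? "" : submitted).getBytes(StandardCharsets.UTF_8);
        if (MessageDigest.isEqual(token, guess)) {  // comparison without early exit
            attempts = MAX_ATTEMPTS;                // single use: a replay cannot pass again
            return Result.AUTHENTICATED;            // the caller now performs the Shiro login
        }
        return attempts >= MAX_ATTEMPTS ? Result.RESTART : Result.RETRY;
    }

    public static void main(String[] args) {
        Instant t0 = Instant.parse("2024-01-01T12:00:00Z");  // constructed sample time
        PendingSecondFactor p = new PendingSecondFactor("alice", "123456", t0);
        System.out.println(p.verify("000000", t0.plusSeconds(10)));  // wrong guess
        System.out.println(p.verify("123456", t0.plusSeconds(20)));  // correct token
        System.out.println(p.verify("123456", t0.plusSeconds(30)));  // replay of a used token
        System.out.println(new PendingSecondFactor("alice", "123456", t0)
                .verify("123456", t0.plus(TTL).plusSeconds(1)));     // submitted after expiry
    }
}
```

Keeping this object only in the server-side session means the client never sees the token or the attempt counter, and the Shiro subject stays unauthenticated until `verify` returns `AUTHENTICATED`.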